[wp-trac] Re: [WordPress Trac] #7386: clean_url() shouldn't touch
dollar, asterisk or single quote characters
WordPress Trac
wp-trac at lists.automattic.com
Thu Aug 7 04:53:43 GMT 2008
#7386: clean_url() shouldn't touch dollar, asterisk or single quote characters
-----------------------+----------------------------------------------------
Reporter: sambauers | Owner: anonymous
Type: defect | Status: new
Priority: low | Milestone: 2.7
Component: General | Version: 2.6
Severity: minor | Resolution:
Keywords: has-patch |
-----------------------+----------------------------------------------------
Comment (by markjaquith):
> Sanitizing shouldn't be done in URLs, it should be done, when the page
is printed.
Most uses of {{{ clean_url() }}} are sanitizing URLs for display.
> If it needs it, then the url must always be contained within double
quotes. That should negate the XSS vulnerability.
That's a silly thing to require. A href attribute contained within single
quotes is valid (X)HTML.
--
Ticket URL: <http://trac.wordpress.org/ticket/7386#comment:3>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
More information about the wp-trac
mailing list